Lanware leads the field in London FI sector with ISO27001 certification and regular pen tests
This case study shows how IT Governance helped Lanware achieve ISO27001 certification.
Lanware Case Study
Lanware, technology partner to the financial world, has achieved ISO27001 certification – the industry standard for information security management. As an outsourcing provider, it was important that Lanware could demonstrate to all its financial services clients that its business and IT services were absolutely secure.
Lanware focused on finding a mature and internationally recognised solution that would bring information security directly under management control. The ISO27001 standard was selected and Lanware reached out to industry experts, IT Governance Ltd, to assist in its implementation across the business.
Background
The financial industry is Lanware’s principal market and securing data has long been considered of paramount importance.
In 2012, Lanware’s top management re-examined their approach to information security. A rapidly expanding business, combined with the all-encompassing nature of its outsourcing services and its FCA-regulated client base, demanded that information security be further formalised and strengthened across the business.
Providing world-beating ‘cyber security’ and information security was important to Lanware in assuring their supply chain and protecting their own and their clients’ business reputations. But it was also seen as an area of operational activity that could, with external audit assessment, be treated as a differentiating factor in growing their market share.
Requirements
Managing Director Henry Duncombe was the driving force behind the project. Just as Lanware embodies technical best practice and high levels of service quality, Henry believed that information security was a matter that needed expert attention. He sought the engagement of a professional services firm with a strong track record in projects involving ISO27001 certification.
IT Governance Ltd was selected from a number of companies in the field because of their responsiveness in answering Lanware’s questions and the favourable recommendations made by former IT Governance clients who had gained ISO27001 certification.
“Finding the right supplier of consultancy services was the key as far as we were concerned,” said Carl White, Service Manager.
“With Lanware’s partnership all of our clients have consolidated their IT into our cloud-based solution. Whilst we know that this solution is inherently more secure than clients maintaining their own on-site servers, a natural anxiety over cloud systems can exist for some prospective clients. We know from experience though that our approach, based on the use of enterprise-level Data Centres, platforms, Citrix-based thin clients and robust disaster recovery is a far more reliable, stable and secure platform than the traditional alternative.
“We wanted to show that our focus from technology through to security was supported by enterprise-level processes and procedures. Security in particular is a growing concern for all of our clients, whose enterprises are under constant risk of cyber-attack. Not surprisingly, fund managers, insurance brokers, banks and a variety of support services in the City of London are ramping up their defences. At the same time, the attractiveness of cloud-centric solutions in terms of growing business and reducing costs is also overwhelming.
“We were already well underway with our ISO27001 programme by the time that our clients began asking us about compliance and whether we had an ISMS that they could audit. IT Governance gave us the confidence to accelerate the process of gaining certification – which we achieved thanks to their help – in line with project timescales. We were really glad that we took the initiative when we did, because the threat climate is clearly increasing on a daily basis.
“By that time, we had already determined the external and internal risks that are relevant to our role as a technology provider in the FI. We had determined the boundaries and applicability of the Information Security Management System to establish its scope. As the Standard requires, we had carried out an effective and thorough asset-based risk assessment – assisted by IT Governance whose consultants, Tony Drewitt and Richard Campo, guided us in how best to identify and classify assets. Many projects flounder, we were reliably told, as a result of spending too many hours struggling with the risk assessment and seemingly never reaching the point of completing an effective risk treatment plan. Our own met with the full approval of BSI’s assessor, who straight away saw that we had identified the relevant risks associated with the loss of confidentiality, integrity and availability for information within scope of the information security management system. We had assessed the potential consequences that would result if the risks were to materialise, and how to mitigate those risks.”
Process
Carl outlines the process followed by Lanware’s team, who were assisted by weekly on-site visits by IT Governance consultants. “Our documented information provided evidence that we had selected appropriate information security risk options, taking account of the risk assessment results. And of course, we had determined all the controls necessary to implement the information security risk treatment options that we had chosen.
“Our planning showed clearly to the assessor that we knew how to achieve our information security objectives, including what to do, what resources were required, who would be responsible, when it would be completed, and how the results would be evaluated. All this due diligence fits with our business objectives and strategy. For over 10 years we have focused on enabling Financial Services organisations to grow by increasing their productivity and better managing risk. Our information security management system is a long-term commitment and fits with our stable business model that appeals to the industry that we serve.
“We have close relationships with like-minded clients who are all united by similar values: clients whose businesses are fully regulated by the FCA and who understand the importance of compliance. The FCA is putting increasing emphasis on knowing your suppliers and expects evidence in service reviews. When the companies that we work with are approached for evidence of their IT security, we can provide not only a valid ISO27001 certificate but also sight of our risk register and risk treatment plan.
“This came about in part because we had IT Governance to advise and train us in exactly what to do. We also had the benefit of regular IT Governance penetration testing reports to help us identify vulnerabilities following comprehensive scans and attempted exploits that gave us a better picture of what could go wrong. This informed our risk treatment plan further and enabled us to put in place robust controls that added several layers of security. What we had before was good. After, it was independently deemed excellent.”
Outcome
So, has ISO27001 given Lanware a clear business advantage?
In the words of Henry Duncombe, Managing Director of Lanware: “In partnership with IT Governance, we carefully developed our own Information Security Management System which supports the provision of IT services to the Financial Services sector. For us it’s been just as much about good business practice as security, and we have tried throughout to focus on the context of our organisation and the level of assurance required by our clients.
“To achieve certification to the ISO standard Lanware had to assess all areas of potential risk across the business. This assessment showed that many of the existing physical, environmental and technical security controls were in line with industry expectations and the focus needed to be more on areas such as the internal organisation of security and the consistent application of new policies and procedures.
“For any company thinking of outsourcing to a services provider, the issue of the data security offered by their prospective partner should be a primary concern,” Henry says. “At Lanware we do not shy away from the fact that we present a potential risk to our clients. We are a critical link in the supply chain and by recognising that risk and dealing with it effectively, we put ourselves in the best position to build trust and stronger relationships.”
As a result, Lanware has developed new controls. Examples include robust procedures to report and resolve information security incidents, access control policies, third party management and periodic security awareness training for every member of the Lanware team. Uniquely, Lanware established a secure administration access zone (AAZ) to control the administration of client systems. All administration tasks carried out by engineers must be completed from a secure server, with sessions being continuously recorded using a virtual CCTV system. This reduces the risk of any unauthorised changes to client systems, provides stronger access control and offers an easy audit trail for any problem investigations.
Tony Drewitt, Head of Consultancy for IT Governance, says: “We are pleased to have helped Lanware achieve ISO27001 certification. Our risk consultant provided regular on-site and remote support to integrate Lanware’s controls into a structured and harmonised ISMS. We also provided supporting documentation, training and internal audit. Lanware was a great project to work on, as there was commitment and hands-on involvement from the senior management team throughout the implementation, with input and ownership from the business operational teams. It was evident that there was significant investment in information security, with the implementation of technology and supporting processes that ensured the ongoing effectiveness of the ISMS and resulted in the successful certification.”
Next Steps
Carl is taking the ISO27001:2005 certification through transition to ISO27001:2013 and is looking forward to further developing IT service management at Lanware in line with ITIL good practice. Lanware has even managed to incorporate information security into a ticket system for service desk management. Carl intends to roll this out to all Lanware’s industry clients. Whenever there is an incident or concern regarding security, they can report this to the IS team in the form of a ticket. “It’s been very well received as a service by our clients.”
Will Lanware gain ISO20000 certification ahead of the major organisations in UK FI considering the ITIL-based standard? “Perhaps,” says Carl, “but for now we have a USP compared to other technology providers: we are ISO27001 certified!”